Can anyone tell me if my stored procedure can be hit by SQL injection? Here is one example:
On the database:

    ALTER PROCEDURE [dbo].[usp_ValidateLogin]
        -- Add the parameters for the stored procedure here
        @shipper  nvarchar(10),
        @password nvarchar(800),
        @email    nvarchar(800) OUTPUT
    AS
    BEGIN
        DECLARE @isFirstLogin Int -- Return value
        SET @isFirstLogin = -1

        -- SET NOCOUNT ON added to prevent extra result sets from
        -- interfering with SELECT statements.
        SET NOCOUNT ON;

        SELECT @isFirstLogin = isFirstLogin, @email = email
        FROM tbl_Registered_Users
        WHERE shipper = @shipper AND Password = @password

        RETURN @isFirstLogin
    END
And here's how it's being called via ASP:

    Set cmdLogin = Server.CreateObject("ADODB.Command")
    With cmdLogin
        .ActiveConnection = dbConnLogin
        .CommandText = "usp_ValidateLogin"
        .CommandType = adCmdStoredProc
        .Parameters.Append .CreateParameter("RETURN_VALUE", adInteger, adParamReturnValue)
        .Parameters.Append .CreateParameter("@shipper", adVarWChar, adParamInput, 10, shipperID)
        .Parameters.Append .CreateParameter("@password", adVarWChar, adParamInput, 800, password)
        .Parameters.Append .CreateParameter("email", adVarWChar, adParamOutput, 800)
        .Execute , , adExecuteNoRecords

        ' extract the return value and the output parameter
        isFirstLogin = .Parameters("RETURN_VALUE").Value
        eEmail = .Parameters.Item("email").Value
    End With
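The posted procedure references @shipper and @password only as parameters inside a static SELECT, and the ASP side binds both values as typed ADO parameters, so the values are never parsed as SQL text. The way a procedure like this becomes injectable is by building a statement string out of its parameters and executing it. The following T-SQL is an added example (not the poster's code) that shows that unsafe dynamic pattern beside the safe sp_executesql form, plus a catalog query for finding procedures that use dynamic SQL at all; it assumes the table and column names from the question, and the procedure names ending in _DynamicUnsafe and _DynamicSafe are made up for illustration.

```sql
-- Constructed example, not the code from the question.
-- Assumes tbl_Registered_Users(shipper, Password, email, isFirstLogin).

-- 1. The pattern that WOULD be injectable: parameter values are pasted into
--    the statement text, so a quote character inside @shipper or @password
--    becomes part of the SQL that gets parsed and executed.
CREATE PROCEDURE [dbo].[usp_ValidateLogin_DynamicUnsafe]
    @shipper  nvarchar(10),
    @password nvarchar(800),
    @email    nvarchar(800) OUTPUT
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT @e = email FROM tbl_Registered_Users WHERE shipper = N'''
             + @shipper + N''' AND Password = N''' + @password + N'''';
    EXEC sp_executesql @sql, N'@e nvarchar(800) OUTPUT', @e = @email OUTPUT;
END
GO

-- 2. The safe way to do the same thing when dynamic SQL is genuinely needed:
--    the statement text is a constant and the user-supplied values travel as
--    typed parameters, which is exactly what the poster's static procedure
--    already gets for free.
CREATE PROCEDURE [dbo].[usp_ValidateLogin_DynamicSafe]
    @shipper  nvarchar(10),
    @password nvarchar(800),
    @email    nvarchar(800) OUTPUT
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT @e = email FROM tbl_Registered_Users '
             + N'WHERE shipper = @s AND Password = @p';
    EXEC sp_executesql @sql,
        N'@s nvarchar(10), @p nvarchar(800), @e nvarchar(800) OUTPUT',
        @s = @shipper, @p = @password, @e = @email OUTPUT;
END
GO

-- 3. Audit query: list procedures whose definition uses EXEC(...) or
--    sp_executesql. If every caller binds parameters the way the ASP code
--    does, these are the only procedures where injection could still enter,
--    and each one should be checked for string concatenation as in case 1.
SELECT OBJECT_NAME(m.object_id) AS proc_name
FROM sys.sql_modules AS m
WHERE OBJECTPROPERTY(m.object_id, 'IsProcedure') = 1
  AND (m.definition LIKE '%EXEC(%'
    OR m.definition LIKE '%EXEC (%'
    OR m.definition LIKE '%EXECUTE(%'
    OR m.definition LIKE '%EXECUTE (%'
    OR m.definition LIKE '%sp_executesql%');
```

In case 2 the parameter declarations passed to sp_executesql use the same nvarchar lengths as the procedure's own parameters, so the values are bound with the same types the ADO call declares (adVarWChar with sizes 10 and 800); the catalog query in case 3 is a coarse text match and will also list procedures that use dynamic SQL safely, so treat its output as a review list rather than a finding.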